802.1x Wired connection with RADIUS server authentication

Dror
Just browsing

Hello all,

I hope you will be able to assist me because I'm frustrated.

I have 2 Meraki MS-225 switches for LAN connection only. No VLANs; all ports are configured on VLAN 1.

My goal is to authenticate any computer in my organization by user domain group.

I have already installed and configured a RADIUS server. It is also located on the same network, on my Meraki switch.

I tried all the authentication methods I have in NPS, but none of them works for me.

Test connectivity to the RADIUS server works fine from all 4 Meraki switches.

Currently my conditions are NAS Port Type "Ethernet" or "Cable", along with the Domain Users user group.

Authentication method is Microsoft: Protected EAP (PEAP).

I'm not sure: if I select a domain user group, how does the RADIUS server authenticate it? By user credentials, or do I need to validate the users with a certificate as well?

The problem is, once I assign the Access Policy to any port, the port turns red and loses connection to the client computer.

Please help me: what is the exact configuration I need to set on the RADIUS/NPS server?

Thanks in advance.

 

Dror

 


 

 

28 Replies
alemabrahao
Kind of a big deal

Check the documentation.

 

https://documentation.meraki.com/MS/Access_Control/Configuring_802.1X_Access_Policies_on_MS_Switches...

I am not a Cisco Meraki employee. My suggestions are based on documentation of Meraki best practices and day-to-day experience.

Please, if this post was useful, leave your kudos and mark it as solved.
Dror
Just browsing

Hi,

 

Thanks for your reply.

Yes, I tried all these docs from Meraki, but unfortunately they did not help me.

I'm pretty sure I need to set the right configuration on the NPS side, but so far nothing works for me.

alemabrahao
Kind of a big deal

Have you checked the NPS logs?

Dror
Just browsing

I could find logs only in Event Viewer, but nothing I could point to.

The thing is that I need to know which authentication method I should use for domain user authentication.

Is there another place to see NPS logs?

alemabrahao
Kind of a big deal

Check which Connection Request policy/Network policy is matching.

 


 

Cisco_CCIE
Just browsing

You need to send the RADIUS attribute Tunnel-Pvt-Group-ID with the VLAN ID when the user authenticates.

Dror
Just browsing

You mean like this?

The port was disabled again after this change.

KarstenI
Kind of a big deal

Did you edit the PEAP EAP type to set the inner Authentication method? That is not the MSCHAPv2 that is shown below that box. It has to be configured inside the PEAP config.

If you found this post helpful, please give it Kudos. If my answer solves your problem, please click Accept as Solution so others can benefit from it.
Dror
Just browsing

I've removed the inner MSCHAPv2. The port is still disabled. 😕

 

alemabrahao
Kind of a big deal

Check in the logs which Connection Request Policy/Network Policy is matching.

KarstenI
Kind of a big deal

WHAT did you remove? You have to make sure to have the right inner method.

Dror
Just browsing

And what are they?

These are my current authentication methods:

KarstenI
Kind of a big deal

Likely the "Secure Password". Did you add it?

Dror
Just browsing

It was there before. It didn't help; the port still gets disabled.

If you are sure it has to be there, I will add it back.

 

Do I need to use any certificate in order to authenticate the users?

KarstenI
Kind of a big deal

The certificate shown in NPS must be trusted on the end devices.

You really should get a consultant to help you. 802.1X is one of the most complex topics and is especially hard with NPS.

alemabrahao
Kind of a big deal

Guys, the problem is that it's not matching any connection policy.

It's very common. Create a new connection policy with the same configuration that you created in the network policy.

Dror
Just browsing

I don't have User Groups under Connection Request Policy like I have in Network Policy.

alemabrahao
Kind of a big deal

I don't remember exactly what the config should look like, but this might help.

 


 

Dror
Just browsing

I tried many consultants before I posted here. 😉

Where can I see the certificate in NPS? I couldn't find it.

 

Thanks

alemabrahao
Kind of a big deal

Really? You don't have a certificate installed? You need an MS Windows Server expert.

 

https://learn.microsoft.com/en-us/windows-server/networking/core-network-guide/cncg/server-certs/ins...

 

 

Dror
Just browsing

OK, but none of the logs I get says anything about a certificate.

alemabrahao
Kind of a big deal

These are the basics of 802.1x.

 

 

https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/h...

KarstenI
Kind of a big deal

If the connection request policies are messed up, it doesn't even get to the point where the certificates are relevant. Looking at the screenshot above, it seems that you assigned the root cert to the NPS. Let's say this is at least "unconventional".

Dror
Just browsing

Any change in the NPS configuration brings different logs. I don't know what the right configuration is that I need to set.

These are the latest logs I've received:

 

 

Network Policy Server denied access to a user.
 
Contact the Network Policy Server administrator for more information.
 
User:
Security ID: NULL SID
Account Name: host/TACCPC333.claimscon.org
Account Domain: -
Fully Qualified Account Name: -
 
Client Machine:
Security ID: NULL SID
Account Name: -
Fully Qualified Account Name: -
Called Station Identifier: 08-F1-B3-34-3F-94:
Calling Station Identifier: 70-B5-E8-3A-31-E7
 
NAS:
NAS IPv4 Address: 192.168.250.51
NAS IPv6 Address: -
NAS Identifier: -
NAS Port-Type: Ethernet
NAS Port: 5
 
RADIUS Client:
Client Friendly Name: TA Switch LAN 1
Client IP Address: 192.168.250.51
 
Authentication Details:
Connection Request Policy Name: -
Network Policy Name: -
Authentication Provider: -
Authentication Server: TACCDC19.claimscon.org
Authentication Type: -
EAP Type: -
Account Session Identifier: 31394546453945463246324638364531
Logging Results: Accounting information was written to the local log file.
Reason Code: 49
Reason: The RADIUS request did not match any configured connection request policy (CRP).

 

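Added example (mine, not from the thread, Meraki or Microsoft): a small Python parser for NPS "denied access" event text like the one quoted above. It pulls out the Connection Request Policy / Network Policy names and the Reason Code, so that a reason 49 (no CRP matched, the failure in this log) can be separated from credential, EAP or policy failures in a log pipeline. The host names and addresses in the sample are constructed placeholders; the reason-code meanings are Microsoft's documented NPS codes.

```python
# Constructed sample modelled on the NPS "denied access" event (ID 6273) pasted in
# the thread; host names, domain and addresses are placeholders, not real values.
SAMPLE_EVENT = """Network Policy Server denied access to a user.
User:
Account Name: host/PC01.example.org
NAS:
NAS IPv4 Address: 192.0.2.51
NAS Port-Type: Ethernet
Authentication Details:
Connection Request Policy Name: -
Network Policy Name: -
EAP Type: -
Reason Code: 49
Reason: The RADIUS request did not match any configured connection request policy (CRP).
"""

# NPS reason codes mapped to the stage where the request died and the next check
# a defender should make. Codes are Microsoft's documented NPS reason codes.
REASON_HINTS = {
    16: "credentials rejected by the domain: check the account and the PEAP inner method",
    22: "EAP type not configured on NPS: the supplicant asked for a method the server cannot process",
    48: "no Network Policy matched: check NAS-Port-Type and group conditions",
    49: "no Connection Request Policy matched: fix CRP conditions first, nothing after it was evaluated",
    65: "remote access permission denied: check dial-in property and policy access permission",
    66: "authentication method not enabled on the matching Network Policy",
}


def parse_nps_event(text: str) -> dict:
    """Flatten event text into {'Section.Field': value}; 'User:'-style lines open a section."""
    fields, section = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or ":" not in line:
            continue                      # prose line such as the first sentence
        key, _, value = line.partition(":")
        key, value = key.strip(), value.strip()
        if not value:                     # 'User:' / 'NAS:' section header, no value
            section = key
            continue
        fields[f"{section}.{key}" if section else key] = value
    return fields


def diagnose(fields: dict) -> tuple:
    """Return (reason_code, hint); unknown codes fall back to the event's own Reason text."""
    code = int(fields.get("Authentication Details.Reason Code", "-1"))
    return code, REASON_HINTS.get(code, fields.get("Authentication Details.Reason", "unknown"))


print(diagnose(parse_nps_event(SAMPLE_EVENT)))
```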
alemabrahao
Kind of a big deal

You need to create a connection request policy.

Dror
Just browsing

Sure, but I already have one configured.

 

Dror
Just browsing

Is there any configuration needed on the endpoint? NIC configuration?

alemabrahao
Kind of a big deal

🤔 https://www.virtualizationhowto.com/2018/12/configure-windows-10-for-802-1x-user-authentication/
